HugoScore hugoscore.org


Evidence-linked HugoScore draft report for a health AI tool that affects patients.

HugoScore CAIHL Draft Report: Fetch My Epic Token

Status: Draft for human review
Last reviewed: 2026-06-12
Review method: Public-source review of the official site, HowTo page, policy page, DIY message app page, GitHub repository, OAuth/token-flow source, EHR ZIP downloader source, MyChart message downloader source, MIT license, ONC Cures Act Final Rule page, and Epic on FHIR documentation. No hands-on login with a real MyChart account, security audit, real-PHI code execution, maintainer interview, or legal review.
Service: Fetch My Epic Token
Vendor: glmck13 / independent open-source project
Category: Patient-controlled health records AI

Summary

Fetch My Epic Token is a free, MIT-licensed, source-available utility that helps patients log in to an Epic/MyChart system, obtain an OAuth access token and patient ID, and use those credentials to call Epic FHIR APIs directly. The site shows users how to use curl, Python, JavaScript, FHIR libraries, and AI-generated code over their own records. It also offers a server-side EHR ZIP downloader for visits, labs, reports, immunizations, and clinical notes, plus a newer DIY MyChart message downloader.

This is not a conventional clinical AI assistant. The core service does not appear to run its own LLM over patient data. Its HugoScore relevance is that it is AI-enabling patient agency infrastructure: it turns portal access into programmable access, then lets the patient choose what scripts, files, local tools, or downstream AI systems to use.

From a CAIHL perspective, the agency upside is very strong. Patients can move beyond a portal interface and retrieve their own data as evidence they can inspect, preserve, analyze, or use for advocacy. The agency risk is also strong: patients handle bearer tokens, patient IDs, server-side ZIP generation, copied MyChart session cookies, internal message APIs, generated code, and PHI downloads. The policy says the site does not collect, retain, or distribute personal information and uses no cookies, but the reviewed code shows the hosted helper workflows necessarily process tokens, API base URLs, patient IDs, PHI, and, for message retrieval, copied browser-session credentials while generating downloads.

Evidence Reviewed

CAIHL Profile

  • Who does this AI serve? Patient-directed and AI-enabling. The project serves patients, caregivers, and patient-developers who want direct access to their Epic/MyChart data. It is not an institutional workflow product, and the core utility is not itself an AI clinical assistant.
  • Can patients tell AI is involved? Partial. AI appears in the HowTo page's AI code-generation prompt and in the DIY message app's origin story, but the main token and FHIR retrieval flow is conventional OAuth/API tooling.
  • Can patients meaningfully choose? Yes, for technically capable users. Use is voluntary and patient-initiated, but practical use requires comfort with OAuth tokens, scripts, shell variables, browser developer tools, FHIR JSON, and PHI handling.
  • Can patients correct or challenge what the AI produces? Not applicable to the core retrieval tool, partial downstream. Fetch My Epic Token retrieves records and exposes data. Correction of source records still depends on the institution, and any AI output depends on external tools the patient chooses.
  • Does it help patients understand or act? Yes. It helps patients pull visits, labs, reports, clinical notes, immunizations, and messages into reusable files or scripts for review, preparation, advocacy, archiving, or downstream analysis.

Agency Interpretation

Fetch My Epic Token is agency-expanding because it converts a formal interoperability right into something a patient can actually use. It gives the patient the token, the patient ID, the API base URL, and concrete examples. That shifts the patient from portal viewer to data actor.

The strongest CAIHL value is strategic action. A patient can assemble their own longitudinal evidence file, check what is available through FHIR, preserve clinical notes, explore labs, or prepare for a visit without waiting for a portal export workflow to meet their needs. The tool also invites patients to use AI as a coding partner rather than a health authority, which is a notable agency pattern.

The constraint is that this agency is technically gated and credential-heavy. The most powerful workflows require the patient to trust a hosted site with short-lived access tokens or copied MyChart session credentials. The message downloader reaches beyond standard FHIR by using internal MyChart message APIs after the user copies a network request from browser developer tools. That may unlock data patients care about, but it also creates a high-trust security and policy moment.

Key Unknowns

  • Whether the live hosted service matches the public GitHub source exactly.
  • Whether server logs capture access tokens, patient IDs, API base URLs, copied cURL commands, cookies, PHI file names, or error payloads.
  • Whether the EHR ZIP and message downloader workflows have been independently reviewed for security, retention, and temp-file handling.
  • Whether users receive enough warning before posting bearer tokens or MyChart session cookies to the hosted site.
  • Whether the MyChart message downloader creates terms, account, or policy risks for users at particular health systems. HugoScore does not make a legal conclusion.
  • Whether the tool is usable for nontechnical patients, disabled users, low-literacy users, non-English users, and caregivers with proxy access.
  • Whether AI-generated scripts suggested by the HowTo page safely handle PHI, tokens, logs, errors, and incomplete FHIR responses.
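To make the last unknown concrete, here is an added example (not code from the project or from this report) of what a patient-side FHIR retrieval script would need in order to handle tokens, errors, and incomplete responses safely: it keeps the bearer token in the Authorization header only, redacts any token that shows up in error text before it is kept, follows a searchset Bundle's "next" links, and reports an OperationOutcome or a page cut-off instead of treating a partial result as a complete record. The host, the patient ID, and the sample bundles are constructed placeholders; the request shape follows the FHIR R4 standard rather than anything Epic-specific.

```python
import json
import re
import urllib.request

TOKEN_RE = re.compile(r"Bearer\s+[A-Za-z0-9._~+/=-]+")  # a bearer token in free text


def redact(text: str) -> str:
    """Mask bearer tokens so they never reach logs, tracebacks or saved errors."""
    return TOKEN_RE.sub("Bearer [REDACTED]", text)


def fhir_get(url: str, token: str) -> dict:
    """Live fetcher: the token travels only in the Authorization header."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/fhir+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def collect_resources(first_url, fetch, max_pages=20):
    """Follow a searchset Bundle's 'next' links; return (resources, warnings).
    An OperationOutcome or non-Bundle body ends the walk with a redacted warning."""
    resources, warnings, url, pages = [], [], first_url, 0
    while url and pages < max_pages:
        body, pages = fetch(url), pages + 1
        kind = body.get("resourceType")
        if kind == "OperationOutcome":
            diag = "; ".join(i.get("diagnostics", i.get("code", "?")) for i in body.get("issue", []))
            return resources, warnings + ["server error: " + redact(diag)]
        if kind != "Bundle":
            return resources, warnings + [f"unexpected resourceType {kind!r}"]
        resources += [e["resource"] for e in body.get("entry", []) if "resource" in e]
        url = next((l["url"] for l in body.get("link", [])
                    if l.get("relation") == "next"), None)
    if url:  # a next link remains: the caller must not treat this as complete
        warnings.append("page limit reached; result set is incomplete")
    return resources, warnings


# Constructed sample pages standing in for a live server (placeholder host and ID).
BASE = "https://fhir.example.invalid/R4"
FIRST = f"{BASE}/Observation?patient=PLACEHOLDER-ID&category=laboratory"
SAMPLE_PAGES = {
    FIRST: {"resourceType": "Bundle", "type": "searchset",
            "link": [{"relation": "next", "url": f"{BASE}/page2"}],
            "entry": [{"resource": {"resourceType": "Observation", "id": "obs-1"}}]},
    f"{BASE}/page2": {"resourceType": "Bundle", "type": "searchset",
                      "entry": [{"resource": {"resourceType": "Observation", "id": "obs-2"}}]},
    f"{BASE}/denied": {"resourceType": "OperationOutcome", "issue": [{
        "severity": "error", "code": "forbidden", "diagnostics": "Bearer eyJhbGci.abc123 was rejected"}]},
}
```

With a real token, `collect_resources(FIRST, lambda u: fhir_get(u, token))` walks the live server the same way; the sample dictionary lets the error and page-limit paths run offline.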

Publication Recommendation

Ready for human review as a draft profile, with scope language kept visible. Publish as "patient-directed record access and AI-enabling interoperability utility," not as a conventional health AI assistant. Confidence should remain medium until the live code path, server logging, token-retention behavior, user-warning language, and MyChart message-downloader workflow are reviewed.